@matthesketh/fleet 1.8.0 → 1.11.0

package/dist/core/testflight/workflow.d.ts

@@ -0,0 +1,17 @@
+export declare function ghVersion(): string | null;
+export declare function resolveRepo(projectPath: string): string | null;
+export declare function repoSecrets(repo: string): string[] | null;
+export interface WorkflowDispatch {
+    ok: boolean;
+    message: string;
+}
+export declare function dispatchWorkflow(repo: string, workflow: string, ref?: string): WorkflowDispatch;
+export interface WorkflowRun {
+    databaseId: number;
+    status: string;
+    conclusion: string | null;
+    url: string;
+    createdAt: string;
+}
+export declare function latestRun(repo: string, workflow: string): WorkflowRun | null;
+export declare function watchRun(repo: string, runId: number): number;

package/dist/core/testflight/workflow.js

@@ -0,0 +1,65 @@
+import { execSafe, execLive } from '../exec.js';
+// an ios .ipa can only be built on macos, so `fleet testflight publish`
+// does not build locally — it dispatches the repo's testflight workflow,
+// which runs on a github-hosted macos runner. every operation here is the
+// github cli driving that workflow.
+// version line of the github cli, or null when it isn't installed.
+export function ghVersion() {
+    const res = execSafe('gh', ['--version'], { timeout: 30_000 });
+    if (!res.ok || !res.stdout)
+        return null;
+    return res.stdout.split('\n').map(l => l.trim()).filter(Boolean)[0] ?? null;
+}
+// owner/name of the github repo backing a project directory, or null when
+// the directory is not a github checkout the gh cli recognises.
+export function resolveRepo(projectPath) {
+    const res = execSafe('gh', ['repo', 'view', '--json', 'nameWithOwner', '-q', '.nameWithOwner'], { cwd: projectPath, timeout: 30_000 });
+    if (!res.ok)
+        return null;
+    return res.stdout.trim() || null;
+}
+// names of the actions secrets configured on a repo, or null when they
+// cannot be listed (gh not authenticated, or no access to the repo).
+export function repoSecrets(repo) {
+    const res = execSafe('gh', ['secret', 'list', '--repo', repo], { timeout: 30_000 });
+    if (!res.ok)
+        return null;
+    return res.stdout
+        .split('\n')
+        .map(l => l.trim().split(/\s+/)[0])
+        .filter(Boolean);
+}
+// dispatch the testflight build workflow. `gh workflow run` queues a
+// workflow_dispatch event and returns no run id, so the caller resolves the
+// resulting run separately via latestRun.
+export function dispatchWorkflow(repo, workflow, ref) {
+    const args = ['workflow', 'run', workflow, '--repo', repo];
+    if (ref)
+        args.push('--ref', ref);
+    const res = execSafe('gh', args, { timeout: 60_000 });
+    return {
+        ok: res.ok,
+        message: (res.ok ? res.stdout : res.stderr).trim() || (res.ok ? 'dispatched' : 'dispatch failed'),
+    };
+}
+// the most recent run of a workflow, or null when it has never run.
+export function latestRun(repo, workflow) {
+    const res = execSafe('gh', [
+        'run', 'list', '--repo', repo, '--workflow', workflow,
+        '--limit', '1', '--json', 'databaseId,status,conclusion,url,createdAt',
+    ], { timeout: 30_000 });
+    if (!res.ok || !res.stdout)
+        return null;
+    try {
+        const runs = JSON.parse(res.stdout);
+        return runs[0] ?? null;
+    }
+    catch {
+        return null;
+    }
+}
+// stream a workflow run to completion, inheriting stdio so progress shows
+// live. returns the exit code — non-zero when the run failed.
+export function watchRun(repo, runId) {
+    return execLive('gh', ['run', 'watch', String(runId), '--repo', repo, '--exit-status']);
+}

package/dist/core/validate.d.ts

@@ -4,4 +4,5 @@ export declare function assertDomain(domain: string): void;
 export declare function assertBranch(branch: string): void;
 export declare function assertHealthPath(path: string): void;
 export declare function assertFilePath(path: string): void;
+export declare function assertComposeFile(name: string): void;
 export declare function assertSecretKey(key: string): void;

package/dist/core/validate.js

@@ -5,6 +5,11 @@ const HEALTH_PATH_RE = /^\/[a-zA-Z0-9/_.-]*$/;
 const SERVICE_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9@._-]*$/;
 // Secret keys must be valid env var names (alphanumeric + underscore, no leading digit)
 const SECRET_KEY_RE = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+// Compose filenames must be a bare filename (no path separators) ending in
+// .yml or .yaml. The value is interpolated into systemd ExecStart directives,
+// so it must not contain quotes, spaces, newlines, or any shell-meaningful
+// character that would let an attacker inject extra `-f` flags or commands.
+const COMPOSE_FILE_RE = /^[A-Za-z0-9_.-]+\.ya?ml$/;
 function assert(value, label, pattern) {
     if (!pattern.test(value)) {
         throw new Error(`Invalid ${label}: "${value}" does not match ${pattern}`);
@@ -37,6 +42,9 @@ export function assertHealthPath(path) {
 export function assertFilePath(path) {
     assertNoTraversal(path, 'file path');
 }
+export function assertComposeFile(name) {
+    assert(name, 'compose filename', COMPOSE_FILE_RE);
+}
 export function assertSecretKey(key) {
     assert(key, 'secret key', SECRET_KEY_RE);
 }

package/dist/mcp/audit-tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerAuditTools(server: McpServer): void;

package/dist/mcp/audit-tools.js

@@ -0,0 +1,94 @@
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { z } from 'zod';
+import { findGreenlight, runPreflight, runGuidelines } from '../core/audit/greenlight.js';
+import { resolveAuditTarget } from '../core/audit/target.js';
+import { loadAuditCache, saveAuditRecord } from '../core/audit/cache.js';
+import { loadAuditConfig, saveAuditConfig } from '../core/audit/config.js';
+import { applySuppressions } from '../core/audit/suppress.js';
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+const INSTALL_NOTE = 'greenlight binary not found. Install it with: ' +
+    'go install github.com/RevylAI/greenlight/cmd/greenlight@latest ' +
+    '(or set GREENLIGHT_BIN to an absolute path).';
+export function registerAuditTools(server) {
+    server.tool('fleet_audit_run', 'Run an App Store compliance audit on a mobile app project via greenlight preflight. ' +
+        'Scans source code, the privacy manifest, and metadata for Apple App Store rejection ' +
+        'risks. Target is a registered fleet app name or a path to a mobile project directory. ' +
+        'Returns the full report (findings grouped by CRITICAL/WARN/INFO plus a pass/fail summary).', {
+        target: z.string().describe('Registered app name or path to a mobile project directory'),
+        ipaPath: z.string().optional().describe('Optional path to a built .ipa for binary inspection'),
+    }, async ({ target, ipaPath }) => {
+        if (!findGreenlight())
+            return text(INSTALL_NOTE);
+        const { target: resolved, projectPath } = resolveAuditTarget(target);
+        let ipa;
+        if (ipaPath) {
+            ipa = resolve(ipaPath);
+            if (!existsSync(ipa))
+                return text(`IPA file not found: ${ipa}`);
+        }
+        const raw = runPreflight(projectPath, { ipaPath: ipa });
+        const { report, suppressed } = applySuppressions(raw, resolved, loadAuditConfig().ignore);
+        const record = {
+            target: resolved,
+            projectPath,
+            ...(ipa && { ipaPath: ipa }),
+            ranAt: new Date().toISOString(),
+            report,
+        };
+        saveAuditRecord(record);
+        return text(JSON.stringify({ ...record, suppressed }, null, 2));
+    });
+    server.tool('fleet_audit_status', 'Show the most recent App Store audit results from cache without re-running a scan. ' +
+        'Returns cached audit records (summary plus findings). Use as a cheap first pass before ' +
+        'fleet_audit_run.', { target: z.string().optional().describe('App name or path (omit for all cached audits)') }, async ({ target }) => {
+        const cache = loadAuditCache();
+        const all = Object.values(cache.audits);
+        if (all.length === 0)
+            return text('No audits cached. Run fleet_audit_run first.');
+        if (target) {
+            const rec = cache.audits[target] ?? all.find(a => a.projectPath === resolve(target));
+            if (!rec)
+                return text(`No cached audit for "${target}". Run fleet_audit_run.`);
+            return text(JSON.stringify(rec, null, 2));
+        }
+        return text(JSON.stringify(all, null, 2));
+    });
+    server.tool('fleet_audit_ignore', 'Suppress a confirmed greenlight false positive from future audits. The finding is ' +
+        'matched by its exact title, optionally narrowed to a target and to findings whose file ' +
+        'or code contains a substring. Every rule must carry a reason. Suppressed findings are ' +
+        'dropped and the pass/fail summary is recomputed on subsequent fleet_audit_run calls.', {
+        title: z.string().describe('Exact greenlight finding title to suppress'),
+        reason: z.string().describe('Why this finding is a false positive'),
+        target: z.string().optional().describe('Limit the rule to one audit target'),
+        contains: z.string().optional().describe('Only suppress findings whose file/code contains this substring'),
+    }, async ({ title, reason, target, contains }) => {
+        const config = loadAuditConfig();
+        config.ignore.push({
+            ...(target && { target }),
+            title,
+            ...(contains && { contains }),
+            reason,
+            addedAt: new Date().toISOString(),
+        });
+        saveAuditConfig(config);
+        return text(`Ignoring "${title}"${target ? ` for ${target}` : ''}: ${reason}`);
+    });
+    server.tool('fleet_audit_guidelines', 'Look up Apple App Store Review Guidelines via greenlight. action "list" returns all ' +
+        'sections, "show" returns one section (query is a section number like "2.1"), "search" ' +
+        'matches a keyword (query is the term). Use to interpret a finding\'s guideline reference ' +
+        'or to guide a fix.', {
+        action: z.enum(['list', 'show', 'search']).describe('list, show, or search'),
+        query: z.string().optional().describe('Section number for show (e.g. "2.1") or keyword for search'),
+    }, async ({ action, query }) => {
+        if (!findGreenlight())
+            return text(INSTALL_NOTE);
+        if ((action === 'show' || action === 'search') && !query) {
+            return text(`'${action}' requires a query argument`);
+        }
+        const args = action === 'list' ? ['list'] : [action, query];
+        return text(runGuidelines(args));
+    });
+}

package/dist/mcp/git-tools.js

@@ -49,7 +49,7 @@ export function registerGitTools(server) {
             const plan = describeOnboardPlan(scenario, app.name, status);
             return text(`Scenario: ${scenario}\nRoot: ${root}\n\nPlan:\n${plan.map((s, i) => `${i + 1}. ${s}`).join('\n')}`);
         }
-        const result = executeOnboard(scenario, root, app.name, app.name, status);
+        const result = await executeOnboard(scenario, root, app.name, app.name, status);
         return text(`Onboarded ${app.name} (${result.scenario})\n\nSteps:\n${result.steps.map(s => `- ${s}`).join('\n')}\n\nRepo: ${result.repoUrl}`);
     });
     server.tool('fleet_git_branch', 'Create a feature branch from develop (or other base) and push it', {

package/dist/mcp/registry-bridge.d.ts

@@ -0,0 +1,10 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export interface BridgeTool {
+    toolName: string;
+    summary: string;
+    cliOnly?: boolean;
+}
+/** registry commands as flat tool descriptors, for inspection and tests. */
+export declare function collectRegistryTools(): BridgeTool[];
+/** registers every non-cliOnly registry command as an mcp tool. */
+export declare function registerRegistryTools(server: McpServer): void;

package/dist/mcp/registry-bridge.js

@@ -0,0 +1,65 @@
+import { loadRegistry } from '../registry/index.js';
+import { allCommands } from '../registry/registry.js';
+import { makeMcpContext } from '../registry/context.js';
+/**
+ * the mcp tool name for a registry command. ':' namespacing is not legal in
+ * tool names, so subcommands collapse to underscores. this string is the
+ * cross-surface contract, so both bridge functions derive it the same way.
+ */
+function toMcpToolName(commandName) {
+    return 'fleet_' + commandName.replace(/:/g, '_');
+}
+/** registry commands as flat tool descriptors, for inspection and tests. */
+export function collectRegistryTools() {
+    loadRegistry();
+    return allCommands()
+        .filter(def => !def.cliOnly)
+        .map(def => ({ toolName: toMcpToolName(def.name), summary: def.summary }));
+}
+/** registers every non-cliOnly registry command as an mcp tool. */
+export function registerRegistryTools(server) {
+    loadRegistry();
+    for (const def of allCommands()) {
+        if (def.cliOnly)
+            continue;
+        server.tool(toMcpToolName(def.name), def.summary, def.args.shape, async (args) => {
+            // `confirm` is mcp surface plumbing, not a command arg — read it from the
+            // raw input before the schema parse below strips unknown keys.
+            const ctx = makeMcpContext(args.confirm === true);
+            try {
+                // validate, coerce and default args against the command schema — the
+                // same safeParse the cli dispatcher runs via parseArgs, so both
+                // surfaces invoke `run` with an identically-validated args shape.
+                const parsed = def.args.safeParse(args);
+                if (!parsed.success) {
+                    const detail = parsed.error.issues
+                        .map(iss => `${iss.path.join('.')}: ${iss.message}`)
+                        .join('; ');
+                    return {
+                        content: [{ type: 'text', text: `invalid arguments: ${detail}` }],
+                        isError: true,
+                    };
+                }
+                const result = await def.run(parsed.data, ctx);
+                return {
+                    content: [{ type: 'text', text: result.summary }],
+                    // structuredContent must be an object — only attach it when the
+                    // command actually returned one, otherwise the sdk rejects the shape.
+                    ...(result.data && typeof result.data === 'object'
+                        ? { structuredContent: result.data }
+                        : {}),
+                    isError: !result.ok,
+                };
+            }
+            catch (err) {
+                // the bridge is the single funnel for every migrated command — a
+                // thrown handler must still surface as a structured tool failure,
+                // not an opaque transport-level rejection.
+                return {
+                    content: [{ type: 'text', text: err instanceof Error ? err.message : String(err) }],
+                    isError: true,
+                };
+            }
+        });
+    }
+}

package/dist/mcp/secrets-tools.js

@@ -19,7 +19,7 @@ export function registerSecretsTools(server) {
         value: z.string().describe('Secret value'),
     }, async ({ app, key, value }) => {
         requireVault();
-        setSecret(app, key, value);
+        await setSecret(app, key, value);
         return text(`Set ${key} for ${app} in vault. Run fleet_secrets_unseal + restart the app to apply at runtime.`);
     });
     server.tool('fleet_secrets_get', 'Get a single decrypted secret value from the vault. ' +
@@ -41,7 +41,7 @@ export function registerSecretsTools(server) {
         app: z.string().optional().describe('App name (omit to seal all apps)'),
     }, async ({ app }) => {
         requireVault();
-        const sealed = sealFromRuntime(app);
+        const sealed = await sealFromRuntime(app);
         return text(`Sealed ${sealed.length} app(s): ${sealed.join(', ')}. Changes will now persist across reboots.`);
     });
     server.tool('fleet_secrets_drift', 'Detect drift between vault (encrypted, survives reboot) and runtime (/run/fleet-secrets/, lost on reboot). ' +

package/dist/mcp/server.js

@@ -4,26 +4,25 @@ import { fileURLToPath } from 'node:url';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
-import { getStatusData } from '../commands/status.js';
-import { load, findApp, save, addApp } from '../core/registry.js';
-import { startService, stopService, restartService } from '../core/systemd.js';
+import { load, findApp, addApp, withRegistry } from '../core/registry.js';
+import { restartService } from '../core/systemd.js';
 import { getContainerLogs, getContainersByCompose } from '../core/docker.js';
-import { checkHealth, checkAllHealth } from '../core/health.js';
 import { listSites, installConfig, testConfig, reload, removeConfig } from '../core/nginx.js';
 import { generateNginxConfig } from '../templates/nginx.js';
 import { composeBuild } from '../core/docker.js';
-import { execSafe } from '../core/exec.js';
 import { AppNotFoundError } from '../core/errors.js';
-import { assertAppName, assertServiceName, assertFilePath, assertDomain } from '../core/validate.js';
+import { assertAppName, assertServiceName, assertFilePath, assertDomain, assertComposeFile } from '../core/validate.js';
 import { loadManifest, listSecrets, isInitialized } from '../core/secrets.js';
 import { unsealAll, getStatus as getSecretsStatus } from '../core/secrets-ops.js';
 import { validateApp, validateAll } from '../core/secrets-validate.js';
-import { freezeApp, unfreezeApp } from '../commands/freeze.js';
 import { registerGitTools } from './git-tools.js';
 import { registerSecretsTools } from './secrets-tools.js';
+import { registerRegistryTools } from './registry-bridge.js';
 import { readContainerLogs, getLogStatus, effectivePolicy } from '../core/logs-policy.js';
 import { snapshotEgress } from '../core/egress.js';
 import { registerDepsTools } from './deps-tools.js';
+import { registerAuditTools } from './audit-tools.js';
+import { registerTestflightTools } from './testflight-tools.js';
 function requireApp(name) {
     const reg = load();
     const app = findApp(reg, name);
@@ -41,29 +40,7 @@ export async function startMcpServer() {
         name: 'fleet',
         version: pkg.version,
     });
-    server.tool('fleet_status', 'Dashboard data for all apps: systemd state, containers, health', async () => {
-        const data = getStatusData();
-        return text(JSON.stringify(data, null, 2));
-    });
-    server.tool('fleet_list', 'List all registered apps with their configuration', async () => {
-        const reg = load();
-        return text(JSON.stringify(reg.apps, null, 2));
-    });
-    server.tool('fleet_start', 'Start an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
-        const entry = requireApp(app);
-        const ok = startService(entry.serviceName);
-        return text(ok ? `Started ${entry.name}` : `Failed to start ${entry.name}`);
-    });
-    server.tool('fleet_stop', 'Stop an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
-        const entry = requireApp(app);
-        const ok = stopService(entry.serviceName);
-        return text(ok ? `Stopped ${entry.name}` : `Failed to stop ${entry.name}`);
-    });
-    server.tool('fleet_restart', 'Restart an app via systemctl', { app: z.string().describe('App name') }, async ({ app }) => {
-        const entry = requireApp(app);
-        const ok = restartService(entry.serviceName);
-        return text(ok ? `Restarted ${entry.name}` : `Failed to restart ${entry.name}`);
-    });
+    registerRegistryTools(server);
     server.tool('fleet_logs', 'DEPRECATED — prefer fleet_logs_recent (token-conservative defaults) or fleet_logs_summary. Get recent container logs for an app.', {
         app: z.string().describe('App name'),
         container: z.string().optional().describe('Container name (omit to list available containers, or get logs from first)'),
@@ -196,18 +173,6 @@ export async function startMcpServer() {
         }
         return text(JSON.stringify(out, null, 2));
     });
-    server.tool('fleet_health', 'Run health checks for one or all apps', { app: z.string().optional().describe('App name (omit for all apps)') }, async ({ app }) => {
-        const reg = load();
-        if (app) {
-            const entry = findApp(reg, app);
-            if (!entry)
-                throw new AppNotFoundError(app);
-            const result = checkHealth(entry);
-            return text(JSON.stringify(result, null, 2));
-        }
-        const results = checkAllHealth(reg.apps);
-        return text(JSON.stringify(results, null, 2));
-    });
     server.tool('fleet_deploy', 'Deploy an app: build and restart', { app: z.string().describe('App name') }, async ({ app }) => {
         const entry = requireApp(app);
         const buildOk = composeBuild(entry.composePath, entry.composeFile, entry.name);
@@ -287,7 +252,7 @@ export async function startMcpServer() {
             if (params.serviceName)
                 assertServiceName(params.serviceName);
             if (params.composeFile)
-                assertFilePath(params.composeFile);
+                assertComposeFile(params.composeFile);
             for (const d of (params.domains ?? []))
                 assertDomain(d);
         }
@@ -297,8 +262,6 @@ export async function startMcpServer() {
         if (!existsSync(params.composePath)) {
             return text(`Error: composePath does not exist: ${params.composePath}`);
         }
-        const reg = load();
-        const existing = findApp(reg, params.name);
         let containers = params.containers;
         if (!containers || containers.length === 0) {
             containers = getContainersByCompose(params.composePath, params.composeFile ?? null);
@@ -319,48 +282,19 @@ export async function startMcpServer() {
             dependsOnDatabases: params.dependsOnDatabases,
             registeredAt: new Date().toISOString(),
         };
-        save(addApp(reg, entry));
-        const action = existing ? 'Updated' : 'Registered';
+        let existed = false;
+        await withRegistry(reg => {
+            existed = !!findApp(reg, params.name);
+            return addApp(reg, entry);
+        });
+        const action = existed ? 'Updated' : 'Registered';
         return text(`${action} app "${params.name}":\n${JSON.stringify(entry, null, 2)}`);
     });
-    server.tool('fleet_freeze', 'Freeze a crash-looping service: stop it, disable it, and mark it frozen in the registry. Requires manual unfreezing.', {
-        app: z.string().describe('App name'),
-        reason: z.string().optional().describe('Reason for freezing'),
-    }, async ({ app, reason }) => {
-        freezeApp(app, reason);
-        return text(`Frozen ${app}${reason ? `: ${reason}` : ''}`);
-    });
-    server.tool('fleet_unfreeze', 'Unfreeze a frozen service: clear frozen state, enable and start the service.', { app: z.string().describe('App name') }, async ({ app }) => {
-        unfreezeApp(app);
-        return text(`Unfrozen ${app} — service enabled and started`);
-    });
-    server.tool('fleet_rollback', 'Roll back an app to its previous image (tagged <repo>:fleet-previous before the last build) and restart the service. Use this when a recent deploy or boot-refresh produced a broken image.', { app: z.string().describe('App name') }, async ({ app }) => {
-        const entry = requireApp(app);
-        // Resolve current image name via compose config
-        const config = execSafe('docker', ['compose', ...(entry.composeFile ? ['-f', entry.composeFile] : []), 'config', '--images'], { cwd: entry.composePath, timeout: 15_000 });
-        if (!config.ok)
-            return text(`Could not resolve image name for ${entry.name}: ${config.stderr}`);
-        const latest = config.stdout.split('\n').filter(Boolean)[0];
-        if (!latest)
-            return text(`Could not resolve image name for ${entry.name}`);
-        // Compute previous tag via lastIndexOf (handles registry:port/repo:tag)
-        const lastColon = latest.lastIndexOf(':');
-        const base = lastColon > 0 ? latest.slice(0, lastColon) : latest;
-        const previous = `${base}:fleet-previous`;
-        if (!execSafe('docker', ['image', 'inspect', previous], { timeout: 10_000 }).ok) {
-            return text(`No previous image found (${previous}) — nothing to roll back to`);
-        }
-        const tag = execSafe('docker', ['tag', previous, latest], { timeout: 10_000 });
-        if (!tag.ok)
-            return text(`docker tag failed: ${tag.stderr}`);
-        const ok = restartService(entry.serviceName);
-        return text(ok
-            ? `Rolled back ${entry.name} to ${previous}`
-            : `Tag flipped but service restart failed for ${entry.serviceName}`);
-    });
     registerGitTools(server);
     registerSecretsTools(server);
     registerDepsTools(server);
+    registerAuditTools(server);
+    registerTestflightTools(server);
     const transport = new StdioServerTransport();
     await server.connect(transport);
 }

package/dist/mcp/testflight-tools.d.ts

@@ -0,0 +1,2 @@
+import type { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+export declare function registerTestflightTools(server: McpServer): void;

package/dist/mcp/testflight-tools.js

@@ -0,0 +1,52 @@
+import { z } from 'zod';
+import { resolveTestflightTarget, appSecretsEnv } from '../core/testflight/resolve.js';
+import { resolveAscCredentials, hasAscCredentials } from '../core/testflight/credentials.js';
+import { listBuilds, verifyApp } from '../core/testflight/asc.js';
+import { ghVersion, resolveRepo } from '../core/testflight/workflow.js';
+function text(msg) {
+    return { content: [{ type: 'text', text: msg }] };
+}
+export function registerTestflightTools(server) {
+    server.tool('fleet_testflight_builds', "List an app's TestFlight builds via the App Store Connect API — build number, " +
+        'version, processing state and expiry. Requires the app\'s ASC credentials and ' +
+        'ASC_APP_ID in its fleet secrets.', { app: z.string().describe('Registered fleet app name') }, async ({ app }) => {
+        const { app: name } = resolveTestflightTarget(app);
+        const env = appSecretsEnv(name);
+        if (!hasAscCredentials(env)) {
+            return text(`App Store Connect credentials missing for ${name}.`);
+        }
+        const ascAppId = env.ASC_APP_ID;
+        if (!ascAppId)
+            return text(`ASC_APP_ID not set for ${name}.`);
+        const builds = await listBuilds(resolveAscCredentials(env), ascAppId);
+        return text(JSON.stringify(builds, null, 2));
+    });
+    server.tool('fleet_testflight_doctor', 'Check TestFlight publishing readiness for an app: GitHub CLI availability, the ' +
+        'GitHub repo backing the build workflow, App Store Connect credentials, and — when ' +
+        'ASC_APP_ID is set — that the ASC API is reachable.', { app: z.string().describe('Registered fleet app name') }, async ({ app }) => {
+        const { app: name, projectPath } = resolveTestflightTarget(app);
+        const env = appSecretsEnv(name);
+        const lines = [
+            `gh cli: ${ghVersion() ?? 'not found'}`,
+            `github repo: ${resolveRepo(projectPath) ?? 'not resolved'}`,
+        ];
+        if (!hasAscCredentials(env)) {
+            lines.push('asc credentials: missing — need ASC_API_KEY_ID, ASC_API_KEY_ISSUER_ID, ASC_API_KEY_B64');
+            return text(lines.join('\n'));
+        }
+        lines.push('asc credentials: present');
+        if (env.ASC_APP_ID) {
+            try {
+                const appName = await verifyApp(resolveAscCredentials(env), env.ASC_APP_ID);
+                lines.push(`asc api: reachable — app "${appName}"`);
+            }
+            catch (err) {
+                lines.push(`asc api: check failed — ${err.message}`);
+            }
+        }
+        else {
+            lines.push('asc app id: not set');
+        }
+        return text(lines.join('\n'));
+    });
+}

package/dist/registry/context.d.ts

@@ -0,0 +1,7 @@
+import type { CommandContext } from './types.js';
+/** cli context: confirm prompts on stdin, log writes to stderr. */
+export declare function makeCliContext(): CommandContext;
+/** mcp context: confirm is pre-resolved from the tool's `confirm` argument.
+ *  per-event logs are silently dropped — the command result's `summary` is
+ *  the sole output channel on the mcp surface. */
+export declare function makeMcpContext(confirmGranted: boolean): CommandContext;

package/dist/registry/context.js

@@ -0,0 +1,37 @@
+import { createInterface } from 'node:readline';
+/** cli context: confirm prompts on stdin, log writes to stderr. */
+export function makeCliContext() {
+    return {
+        env: process.env,
+        log(event) {
+            process.stderr.write(`[${event.level}] ${event.message}\n`);
+        },
+        confirm(prompt) {
+            const rl = createInterface({ input: process.stdin, output: process.stderr });
+            return new Promise(resolve => {
+                // stdin EOF / SIGINT closes the interface — treat that as a "no".
+                rl.on('close', () => resolve(false));
+                rl.question(`${prompt} [y/N] `, answer => {
+                    // resolve before close: the first resolve wins, so the close
+                    // handler firing afterwards is a harmless no-op.
+                    resolve(/^y(es)?$/i.test(answer.trim()));
+                    rl.close();
+                });
+            });
+        },
+    };
+}
+/** mcp context: confirm is pre-resolved from the tool's `confirm` argument.
+ *  per-event logs are silently dropped — the command result's `summary` is
+ *  the sole output channel on the mcp surface. */
+export function makeMcpContext(confirmGranted) {
+    return {
+        env: process.env,
+        log() {
+            // mcp surfaces collect output via the result; per-event logs are dropped.
+        },
+        async confirm() {
+            return confirmGranted;
+        },
+    };
+}

package/dist/registry/index.d.ts

@@ -0,0 +1,5 @@
+/** registers every CommandDef. idempotent — safe to call from each surface. */
+export declare function loadRegistry(): void;
+/** test-only: resets the loaded flag and clears the registry, so a test can
+ *  re-run loadRegistry from a clean state. */
+export declare function _resetLoader(): void;

package/dist/registry/index.js

@@ -0,0 +1,44 @@
+import { register, _resetRegistry } from './registry.js';
+import { addCommand } from '../commands/add.js';
+import { listCommand } from '../commands/list.js';
+import { statusCommand } from '../commands/status.js';
+import { startCommand } from '../commands/start.js';
+import { stopCommand } from '../commands/stop.js';
+import { restartCommand } from '../commands/restart.js';
+import { healthCommand } from '../commands/health.js';
+import { freezeCommand, unfreezeCommand } from '../commands/freeze.js';
+import { rollbackCommand } from '../commands/rollback.js';
+import { removeCommand } from '../commands/remove.js';
+import { initCommand } from '../commands/init.js';
+import { patchSystemdCommand } from '../commands/patch-systemd.js';
+import { bootStartCommand } from '../commands/boot-start.js';
+import { installMcpCommand } from '../commands/install-mcp.js';
+import { updateCommand } from '../commands/update.js';
+import { doctorCommand } from '../commands/doctor.js';
+import { configCommand, whoamiCommand } from '../commands/config.js';
+import { completionsCommand } from '../commands/completions.js';
+/** every command definition. commands are added here as they are migrated
+ *  onto the registry. */
+const ALL = [
+    addCommand, statusCommand, listCommand, startCommand, stopCommand, restartCommand,
+    healthCommand, freezeCommand, unfreezeCommand, rollbackCommand, removeCommand,
+    initCommand, patchSystemdCommand, bootStartCommand, installMcpCommand,
+    updateCommand, doctorCommand, configCommand, whoamiCommand, completionsCommand,
+];
+let loaded = false;
+/** registers every CommandDef. idempotent — safe to call from each surface. */
+export function loadRegistry() {
+    if (loaded)
+        return;
+    _resetRegistry();
+    for (const def of ALL) {
+        register(def);
+    }
+    loaded = true;
+}
+/** test-only: resets the loaded flag and clears the registry, so a test can
+ *  re-run loadRegistry from a clean state. */
+export function _resetLoader() {
+    loaded = false;
+    _resetRegistry();
+}

package/dist/registry/parse-args.d.ts

@@ -0,0 +1,13 @@
+import { z } from 'zod';
+export type ParseResult = {
+    help: true;
+} | {
+    help: false;
+    ok: true;
+    values: Record<string, unknown>;
+} | {
+    help: false;
+    ok: false;
+    error: string;
+};
+export declare function parseArgs(schema: z.ZodObject<z.ZodRawShape>, argv: string[]): ParseResult;